The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.

CERT Study Examines Chinese Cyber Espionage Unit's Infrastructure

In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1)—one of China's alleged cyber espionage groups—and provided a detailed report of APT1 operations. Mandiant's report included 3,000 indicators of the group's activity since 2006. It also analyzed unclassified data sets in an attempt to understand APT1's middle infrastructure: the system of hops, distribution points or relays, and the command and control (C2) servers that sit between APT1's victims and main C2 servers located overseas. To build that infrastructure, APT1 chose and exploited particular organizations to obfuscate communications while remaining in plain sight.

This new analysis from CERT, based on data from IP addresses known to be associated with APT1 and domain names provided by Mandiant, was conducted using a combination of System for Internet Level Knowledge (SiLK) tools, Microsoft Excel, and custom Python scripts. By combining key unclassified information, the authors successfully described a large, malicious network used to steal important information.

This study focuses on the vast network of middle infrastructure—the pieces that sit between end targets and the home base—which comprises intermediary C2 servers, malware servers, and hop points used to push sensitive information along to APT1.